Login, Home Realm Discovery and MFA
FoxIDs handles user login in the login authentication method. A number of login authentication methods can be configured per environment, each with its own configuration and look and feel.
An environment contains one user repository, and all login authentication methods configured in an environment authenticate users against the same user repository.
When a user authenticates, the user's session is associated with the login authentication method. A user can therefore authenticate in multiple configured login authentication methods and have multiple separate user sessions.
A user session is not established in the login authentication method if the session lifetime is set to 0 seconds.
An OpenID Connect application registration or SAML 2.0 application registration can authenticate users by selecting a login authentication method.
The login authentication method authenticates users in a two-step login UI, with the username and password input on two separate pages.
Home Realm Discovery (HRD)
When you create an application registration it is most often best to use the default star notation (*) to select the authentication methods.
If an application registration is configured to be allowed to use only one authentication method, the user is immediately redirected to that authentication method.
If more than one authentication method is allowed, the user is redirected to a login authentication method which makes it possible to select an authentication method, either by entering an email (the email domain is matched against the configured domains) or by clicking an HRD button.
It is possible to select up to 4 authentication methods by name or to use the star notation (*); please see more about selection.
One or more domains can be configured for each authentication method, as well as whether an HRD button should be shown to the user. An HRD button is displayed for an authentication method if no domain is configured for it, or if a wildcard is configured.
An example of a login screen with HRD; the screen can be customised.
The title, icon and CSS configured on the first allowed login authentication method on the application registration are used. Without an allowed login authentication method configured, the title, icon and CSS from the default login authentication method are used.
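The HRD routing described above, written out as an added example that is not FoxIDs' own code: it models the star notation and the up-to-4-names selection on an application registration, the immediate redirect when only one method is allowed, email-domain matching, and which methods get an HRD button. The class and function names, the sample configuration, and the treatment of a wildcard domain as a catch-all for email matching are assumptions.

```python
# Added example (not FoxIDs code): a simplified model of Home Realm Discovery.
# Structure names, sample data and the wildcard catch-all rule are assumptions.
from dataclasses import dataclass, field


@dataclass
class AuthMethod:
    name: str
    domains: list = field(default_factory=list)  # e.g. ["corp.example"] or ["*"]


def resolve_allowed(allowed: list, configured: list) -> list:
    """Expand the application registration's selection ("*" or up to 4 names)
    into the concrete authentication methods it may use."""
    if allowed == ["*"]:
        return list(configured)
    if len(allowed) > 4:
        raise ValueError("at most 4 authentication methods can be selected by name")
    by_name = {m.name: m for m in configured}
    return [by_name[n] for n in allowed if n in by_name]


def shows_hrd_button(method: AuthMethod) -> bool:
    # A button is shown when the method has no domain or a wildcard domain,
    # because email-domain matching alone cannot select it.
    return not method.domains or "*" in method.domains


def match_by_email(email: str, methods: list):
    """Pick the method whose configured domain matches the email's domain.
    Assumption: a wildcard ("*") method is used only when no exact domain matches."""
    if "@" not in email:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    wildcard = None
    for m in methods:
        if domain in (d.lower() for d in m.domains):
            return m
        if "*" in m.domains and wildcard is None:
            wildcard = m
    return wildcard


def route_login(allowed: list, configured: list, email: str = None) -> dict:
    """Decide where the user goes: straight to the single allowed method, to a
    method matched by email domain, or to the HRD selection screen."""
    methods = resolve_allowed(allowed, configured)
    if len(methods) == 1:
        return {"action": "redirect", "method": methods[0].name}
    if email:
        m = match_by_email(email, methods)
        if m:
            return {"action": "redirect", "method": m.name}
    return {"action": "select",
            "buttons": [m.name for m in methods if shows_hrd_button(m)]}


# Constructed sample configuration (assumption, not taken from the page).
CONFIGURED = [
    AuthMethod("login"),                        # default login, no domains -> button
    AuthMethod("corp-saml", ["corp.example"]),  # selected by email domain, no button
    AuthMethod("partner-oidc", ["*"]),          # wildcard -> button and catch-all
]

if __name__ == "__main__":
    print(route_login(["corp-saml"], CONFIGURED))
    print(route_login(["*"], CONFIGURED, "alice@corp.example"))
    print(route_login(["*"], CONFIGURED))
```

With a single allowed method the user never sees the selection screen; with the star notation the email domain decides, and only methods that cannot be reached through a domain match are offered as buttons.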
Two-factor authentication (2FA/MFA)
A login authentication method supports two-factor authentication (2FA) / multi-factor authentication (MFA) with an authenticator app, SMS and email.
Two-factor authentication with an authenticator app, SMS and email is enabled by default and is initiated if required.
Two-factor authentication can be set as a requirement in each login authentication method, per user, or required by the calling OpenID Connect or SAML 2.0 application registration.
You can use a two-factor authenticator app of your choice, such as Authy, Google Authenticator, Microsoft Authenticator and others.
In this example the user is asked to do two-factor authentication with an authenticator app, or to change to SMS or email.
The two-factor authentication type is selected as shown in this table.
| SMS two-factor enabled and user has phone number | Email two-factor enabled and user has email | User has registered authenticator app | Possible two-factor type(s) | Selected two-factor type |
|---|---|---|---|---|
| false | false | false | Authenticator app | Authenticator app |
| false | false | true | Authenticator app | Authenticator app |
| true | false | false | SMS - can register authenticator app after SMS verification | SMS |
| true | false | true | SMS and authenticator app | Authenticator app |
| false | true | false | Email - can register authenticator app after email verification | |
| false | true | true | Email and authenticator app | Authenticator app |
| true | true | false | SMS and email - can register authenticator app after SMS/email verification | SMS |
| true | true | true | SMS, email and authenticator app | Authenticator app |
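The selection table above as a function, added here as an example and not FoxIDs' own code. The function and label names are assumptions. The table leaves the selected type blank for the email-only row with no registered app; the example fills that with Email by symmetry with the SMS-only row, and marks this as an assumption.

```python
# Added example (not FoxIDs code): the two-factor type selection table as code.
# Label strings and the function name are assumptions.
SMS, EMAIL, APP = "SMS", "Email", "Authenticator app"


def select_two_factor(sms_enabled_with_phone: bool,
                      email_enabled_with_email: bool,
                      has_authenticator_app: bool) -> dict:
    """Return the possible two-factor types, the type selected first, and whether
    the user may register an authenticator app after an SMS/email verification."""
    possible = []
    if sms_enabled_with_phone:
        possible.append(SMS)
    if email_enabled_with_email:
        possible.append(EMAIL)

    # With no registered app and a code channel available, the user verifies by
    # SMS/email first and may register an app afterwards (the table's "- can
    # register authenticator app after ... verification" cells).
    can_register_app_after = not has_authenticator_app and bool(possible)
    if has_authenticator_app or not possible:
        possible.append(APP)

    if has_authenticator_app:
        selected = APP      # a registered authenticator app always wins
    elif sms_enabled_with_phone:
        selected = SMS      # SMS is preferred over email when both are possible
    elif email_enabled_with_email:
        selected = EMAIL    # assumption: the page's table leaves this cell blank
    else:
        selected = APP      # nothing else available: the user registers an app

    return {"possible": possible,
            "selected": selected,
            "can_register_app_after": can_register_app_after}


def all_rows() -> list:
    """Every combination of the three inputs, in the same order as the table."""
    rows = []
    for sms in (False, True):
        for email in (False, True):
            for app in (False, True):
                rows.append((sms, email, app, select_two_factor(sms, email, app)))
    return rows


if __name__ == "__main__":
    for sms, email, app, result in all_rows():
        print(sms, email, app, "->", result)
```

The ordering in the function (registered app first, then SMS, then email) is exactly the preference the table encodes, which is what a reviewer should check when the 2FA options of a login authentication method are changed.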
Login configuration
A default login authentication method is created in each environment.
The default login, with the name `login`, can be changed but not deleted; be careful, as you may lose access.
The title, icon and CSS configured on the default login authentication method are used when no login authentication method is selected, e.g. on the error page or during HRD selection without a login authentication method.
Configure login options
It can be configured whether users should be allowed to reset their password, whether users are allowed to create a new user online and which user identifiers to use; the UI can be customised, and much more.
New users can be created by the administrator through the Control Client or provisioned through the Control API.
Configure two-factor authentication (2FA)
The two-factor options can be changed, and the authenticator app name shown to users can be changed. The name is by default set to the tenant's name. You most likely want to change the name to something more human readable.
You can select to require two-factor authentication for all users authenticating with the login authentication method.
Configure user session
Click Show advanced to change the user session lifetime. The default lifetime is 10 hours.
The user session is a sliding session, where the lifetime is extended every time an application makes a login request, until the absolute session lifetime is reached.
An absolute session lifetime can optionally be configured.
The user session can be changed to a persistent session, which is preserved when the browser is closed and reopened.
The user session becomes a persistent session if either the persistent session lifetime is configured to be greater than 0, or the persistent session lifetime unlimited setting is set to Yes.
Click the User session tab to see all session settings.
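The session rules described in this section (no session when the lifetime is 0 seconds, a sliding lifetime extended on each application login request, an optional absolute lifetime that caps the extension, and the two settings that make a session persistent), written out as an added example that is not FoxIDs' own code. The setting and function names, the use of epoch seconds, and the sample values are assumptions.

```python
# Added example (not FoxIDs code): a model of the user session lifetime rules.
# Setting names, the time representation and the sample values are assumptions.
from dataclasses import dataclass
from typing import Optional

DEFAULT_LIFETIME = 10 * 3600  # 10 hours, the default lifetime stated on the page


@dataclass
class SessionSettings:
    lifetime: int = DEFAULT_LIFETIME          # sliding lifetime in seconds; 0 = no session
    absolute_lifetime: Optional[int] = None   # None = no absolute session lifetime
    persistent_lifetime: int = 0              # > 0 makes the session persistent
    persistent_unlimited: bool = False        # the "unlimited = Yes" setting


@dataclass
class UserSession:
    created_at: int    # epoch seconds (constructed values in the usage below)
    expires_at: int
    persistent: bool


def is_persistent(s: SessionSettings) -> bool:
    """Persistent if the persistent lifetime is greater than 0 or unlimited is Yes."""
    return s.persistent_lifetime > 0 or s.persistent_unlimited


def establish(s: SessionSettings, now: int) -> Optional[UserSession]:
    """Create the session on login; no session is established when lifetime is 0."""
    if s.lifetime <= 0:
        return None
    return UserSession(created_at=now, expires_at=now + s.lifetime,
                       persistent=is_persistent(s))


def absolute_deadline(s: SessionSettings, sess: UserSession) -> Optional[int]:
    return None if s.absolute_lifetime is None else sess.created_at + s.absolute_lifetime


def is_valid(s: SessionSettings, sess: UserSession, now: int) -> bool:
    if now >= sess.expires_at:
        return False
    deadline = absolute_deadline(s, sess)
    return deadline is None or now < deadline


def on_login_request(s: SessionSettings, sess: UserSession, now: int) -> Optional[UserSession]:
    """Sliding session: an application login request extends the session by the
    lifetime, but never past the absolute deadline. Returns None once expired."""
    if not is_valid(s, sess, now):
        return None
    new_expiry = now + s.lifetime
    deadline = absolute_deadline(s, sess)
    if deadline is not None:
        new_expiry = min(new_expiry, deadline)
    sess.expires_at = new_expiry
    return sess


if __name__ == "__main__":
    settings = SessionSettings(lifetime=3600, absolute_lifetime=5000)  # constructed values
    session = establish(settings, now=1000)
    print("after login:", session)
    print("after request at t=3000:", on_login_request(settings, session, 3000))
    print("after request at t=6000:", on_login_request(settings, session, 6000))
```

The absolute lifetime is what bounds how long a frequently used application can keep a session alive; without it, the sliding extension alone never ends a session that is used at least once per lifetime.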
Configure claims
You can change the claims the login authentication method forwards with claim transforms.
All login configurations
All login configurations are available after clicking Show advanced.